
Offensive Security

Find vulnerabilities. Close risks. Prove security.

Rely on security that can be proven. carmasec tests your systems using the same methods real attackers use. Structured. Documented. With priorities your team can implement immediately.

Our services

Ready for a pentest?

tested. done. right.

Attacks are increasing and damage is growing rapidly

Successful attacks are rarely accidental. They follow patterns, exploit known gaps, and fail against defenses that have actually been tested. AI is accelerating the attacker side: vulnerability discovery, exploit development, and social engineering are becoming faster, more targeted, and harder to detect. Offensive Security provides the proof that your defenses have been tested. The results show where defensive measures work and where they do not, and they create the evidence base required by, among others, NIS-2, DORA, and ISO 27001.


Penetration Testing

No more guesswork. Your organization knows where it is vulnerable. Every finding is prioritized by risk, the attack path is documented, and concrete countermeasures are provided. Your team knows what to do first.

  • Web application
  • API
  • Network
  • Active Directory
  • Endpoint
  • Mobile
  • Cloud platform
  • AI pentesting

Learn more


Red Teaming & TLPT

Does your detection work when it matters? Over several weeks, we simulate the full attack path through to business-critical processes—based on threat intelligence and real attacker profiles. The result is a robust assessment of your operational resilience. TLPT-compliant under DORA and TIBER-EU.

  • Threat intelligence-led attack simulation
  • Adversary emulation
  • TLPT
  • Detection & response test
  • Resilience assessment


Attack simulations

Blind spots are what will hit you in an incident. We simulate ransomware behavior, command-and-control communication, and data exfiltration under controlled conditions. You see in black and white what your SOC detects and where it fails. We build on that and sharpen your defense structures in a targeted way.

  • Ransomware simulation
  • Botnet traffic (C2)
  • Data exfiltration


Social Engineering & Awareness

People are not a security problem. They are a security factor—if they know what attacks look like. Phishing campaigns and live hacking sessions make threats tangible and show where awareness measures actually work.

  • Phishing campaigns
  • Spear phishing
  • Awareness training
  • Live hacking

Not sure which service fits yet?

In an initial conversation, we will clarify together which approach makes sense for your situation.

Contact us now

Why act now?

Increasing Threat Landscape

Cloud, AI systems, IoT, and hybrid work models continuously expand the attack surface. Attackers use automated tools and orchestrated campaigns.

AI as an Attacker Tool

AI accelerates the attacker side. Phishing becomes more precise, exploits are developed faster, and attack chains become harder to detect.

Regulatory Pressure

NIS-2, DORA, CRA, and EU AI Act make technical security assessments a mandatory requirement.

Resilience instead of pure defense

Ransomware attacks, IT outages, and supply chain disruptions can paralyze business processes within minutes. What matters is whether the organization remains capable of action.

27 seconds is the record. 65% faster than a year earlier. Attacks scale with AI; visibility into your own attack surface does not. That is exactly where the risk arises. What happens at your organization in that time?

Pascal Waffenschmidt, Senior Security Consultant


Less risk, more resilience.

How compliance and real defense work together.

This playbook shows CISOs and IT security teams how protective measures take effect where attackers actually start.

Download Whitepaper

Whether start-up, mid-sized company, or corporation: We find the right solution

Trust is built through results

100%

of the committed project goals achieved

"Professional, flexible, approachable and above all: successful. carmasec delivered what was promised."

Bruker Optics

40%

more transparency about the security status through defined KPIs

"With carmasec's support, we defined KPIs and created a higher degree of transparency and acceptance."

DKV Mobility Services

100%

of the project results documented and verifiably handed over

"In carmasec we found a trustworthy partner who supported us with the implementation and delivered a comprehensive results report. We recommend carmasec without reservation."

ELIGO

100%

of the identified vulnerabilities documented with concrete recommendations for action

"carmasec made a significant contribution to the security of our services. Professional consulting, clean execution. For infrastructure pentests we recommend carmasec without reservation."

tyntec GmbH

Why carmasec?

Many providers test. The difference lies in what happens afterwards.

Threat Informed Defense as methodology

Our attack simulations are based on documented techniques of real attackers according to MITRE ATT&CK. No generic scope.

Vendor-independent

We do not recommend tools because we are their partner. We recommend what fits technically. That applies to methods, to scope, and to the report.

Personal

No ticket system, no offshore delivery. Direct communication with the experts who do the testing.

Frequently asked questions about Offensive Security

How does a manual pentest differ from a vulnerability scan?

A vulnerability scan runs automated checks based on known patterns. A manual pentest combines this baseline with creative approaches, tailored attack chains, and context about your specific environment. This produces realistic scenarios that automated tools alone cannot replicate.

How often should we run penetration tests?

At least annually. In addition, after significant changes such as new applications, major releases, cloud migrations, or new AI solutions. For particularly critical systems, a shorter cycle may be appropriate.


Do we only receive a report, or do you also support implementation?

Both are possible. By default, you receive clear, risk-based reporting. If desired, we support implementation, the remediation roadmap, and technical hardening, including a retest.

What is the difference between a penetration test and red teaming, and when do we need which?

A penetration test assesses defined systems within a limited time frame. The goal is a comprehensive vulnerability analysis with documented findings. Red teaming simulates a real attack over weeks without a defined scope, based on actual attacker profiles. The goal is not full coverage, but proof of whether an attacker can reach a business-critical objective. If you want to know where vulnerabilities are, you need a pentest. If you want to know whether your detection and response work in an incident, you need red teaming.

We are not a financial institution. Is TLPT still relevant for us?

TLPT is a regulatory requirement for certain financial institutions under DORA. For everyone else, the principle is still relevant: threat-led penetration testing aligns attack simulations with real threat profiles, not generic checklists. Organizations that operate critical infrastructure or work in regulated industries benefit from the same approach without a formal TLPT obligation.

Our development teams work agile. How can Offensive Security be integrated into ongoing release cycles?

Offensive Security does not have to be treated as a one-off project. Penetration tests can be limited to individual releases or new features. Attack simulations can run in parallel with operations. During scoping, we define together which approach fits your development cycles without interrupting operations.

What exactly does an attack simulation test that a classic pentest does not cover?

A penetration test finds vulnerabilities. An attack simulation tests whether your detection and response mechanisms identify attacks that exploit those vulnerabilities and respond correctly. Ransomware behavior, command-and-control traffic, and data exfiltration are replicated under controlled conditions. The key question is not only whether there is a gap, but whether your SOC would notice an attack through it.

Do our employees need to know that a phishing campaign is running?

That depends on the objective. Unannounced campaigns deliver more realistic results on the organization’s actual maturity level. Announced campaigns have a stronger awareness effect. Both are possible and legally permissible if the framework conditions are clearly defined. We clarify this during scoping together with your HR and legal departments.

How do you protect confidential systems and data during an engagement?

Every engagement starts with a defined scoping document: target systems, exclusions, time windows, points of contact, and emergency processes. We work exclusively within the agreed framework. Findings are transmitted in encrypted form and are not communicated via insecure channels. Confidentiality is governed contractually.

Do penetration tests and red teaming meet the requirements of NIS-2 and DORA?

Yes. DORA requires regular resilience testing for certain financial institutions, including TLPT under TIBER-EU. NIS-2 expects technical security testing as part of risk management. ISO 27001 requires evidence that implemented controls have been tested for effectiveness. Our reports are audit-proof and aligned with the evidence requirements of the respective regulations.

What happens after the test, and who implements the measures?

The report prioritizes findings by risk and provides concrete countermeasures. If desired, we support implementation, verify measures in a retest, and derive a security roadmap from the results. Technical measures are implemented by our defense team. Findings with governance or compliance relevance flow directly into your ISMS and your evidence documentation for ISO 27001, NIS-2, and DORA. Offensive, defense, and governance work in a continuous cycle at carmasec.

Contact

Ready for the reality check?

Do you want to know how far an attacker would get into your own infrastructure? In an initial conversation, we will clarify together which approach fits your specific situation, which systems should be in focus, and what a realistic threat picture means for your company.

Timm Börgers
Managing Director
+49 (0)201 426 385 905
vertrieb@carmasec.com